Can Delete a Repository with a naked GET request
Reported by mrflip | August 22nd, 2008 @ 12:26 AM | in 3. Eventually
It looks like I can kill a repo just by entering its naked url like http://github.com/mrflip/permali... Maybe this is only for a new repo -- I didn't really want to experiment all that aggressively.
Being able to delete with no confirmation is kinda scary: imagine a malicious entry on the wiki of some repository, or just a fumblefingers bringing up a months-old delete request from my browser's history bar.
This should require a POST method and maybe even a nonce token from the edit page or something.
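The two handler shapes this report contrasts, as an added Ruby example that is neither GitHub's code nor the reporter's: a delete route that fires on a bare GET beside one that requires a POST carrying a single-use token issued by the edit page. `Request`, `RepoStore`, the `/alice/<repo>/delete` paths and the repository names are constructed stand-ins.

```ruby
require 'securerandom'
# Constructed stand-ins (not GitHub's code): a bare request and a repo table.
Request = Struct.new(:method, :path, :params, :session, keyword_init: true)

# Constant-time comparison so the token check leaks nothing through timing.
def secure_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Rendering the edit page stores a fresh token in the session and embeds it in
# the form; a browser only holds it after genuinely loading that page.
def issue_delete_token(session)
  session[:delete_token] = SecureRandom.hex(16)
end

class RepoStore
  attr_reader :repos
  def initialize(names)
    @repos = names.dup
  end

  # Shape the ticket reports: the delete URL acts on a bare GET, so a link on a
  # wiki page, an <img src>, or a stale history-bar entry is enough to fire it.
  def delete_unsafe(req)
    @repos.delete(req.path.split('/')[-2]) ? :deleted : :not_found
  end
  # Shape the reporter asks for: POST only, carrying the single-use token the
  # edit page issued into this session (consumed on first use, so no replay).
  def delete_safe(req)
    return :method_not_allowed unless req.method == 'POST'
    expected = req.session.delete(:delete_token)
    return :forbidden unless expected && secure_equal(expected, req.params['token'].to_s)
    @repos.delete(req.path.split('/')[-2]) ? :deleted : :not_found
  end
end

# Walks the scenarios from the report; returns the outcome of each step.
def demo
  store = RepoStore.new(%w[alpha beta gamma])
  req = ->(m, repo, params, session) { Request.new(method: m, path: "/alice/#{repo}/delete", params: params, session: session) }
  session, out = {}, {}
  out[:get_unsafe] = store.delete_unsafe(req.call('GET', 'alpha', {}, {}))        # repo destroyed
  out[:get_safe] = store.delete_safe(req.call('GET', 'beta', {}, {}))              # refused
  out[:post_no_token] = store.delete_safe(req.call('POST', 'beta', {}, session))   # forged cross-site form
  token = issue_delete_token(session)                                              # user loads the edit page
  out[:post_with_token] = store.delete_safe(req.call('POST', 'beta', { 'token' => token }, session))
  out[:replay] = store.delete_safe(req.call('POST', 'beta', { 'token' => token }, session))
  out.merge(remaining: store.repos)
end
```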
Comments and changes to this ticket

Tekkub August 22nd, 2008 @ 12:08 PM
- → State changed from new to open
- → Assigned user changed from to defunkt

Scott Chacon October 9th, 2008 @ 07:27 PM
- → Milestone changed from to 3. Eventually
- → Tag changed from bug idiotproofing repo security to bug bug idiotproofing repo security

defunkt October 27th, 2008 @ 06:47 PM
- → State changed from open to resolved

This should be fixed.